Protection policies alter and protect data. When you configure a job, you specify a read policy to protect data when
reading from an origin system. You also specify a write policy to protect data when writing to destination systems.

When configuring policies, consider the different types of policies that your organization requires. In addition to
having both read and write policies, you might also need different flavors of read and write policies to address the
different levels of security required for various endpoints or for various user groups.

The expression to use to generate replacement data. The
results of the expression replace the classified data.

You can use most functions, as well as constants, datetime variables,
literals, and operators available in the StreamSets expression language. In addition, you can use the following Data Protector functions:

Like other protection methods, the Standard Mask protection method protects
the data defined in the procedure. Unrelated properties are ignored.

Standard Mask Format

Description

CREDIT_CARD

Masks data classified by the CREDIT_CARD StreamSets classification rule. Use one of the following options:

VISA 1234 - Replaces data with the
credit card type and the last part of the credit
card number.

x6842 - Replaces data with the last
part of the credit card number preceded by an
x.

Custom Format - Replaces data with a
user-defined custom format. The default,
${CREDIT_CARD:type()}
x${CREDIT_CARD:lastPart()}, shows the
expression used to create the VISA 1234 option. Alter or
replace the default as needed.

Default is VISA 1234.

EMAIL

Masks data classified by the EMAIL StreamSets classification rule. Use one of the following options:

s*@streamsets.com - Replaces data with
addresses that reduce the local part of the address
to an initial, while retaining the original domain
name.

sales@s*.com - Replaces data with
addresses that retain the original local part of the
address while reducing the domain name to an
initial.

Custom Format - Replaces data with a
user-defined custom format. The default,
${str:substring(EMAIL:localPart(), 0,
1)}*@${EMAIL:domain()}, shows the
expression used to create the s*@streamsets.com option.
Alter or replace the default as needed.

Default is s*@streamsets.com.

US_PHONE

Masks data classified by the US_PHONE StreamSets classification rule. Use one of the following options:

(xxx) xxx 7890 - Replaces data with
numbers that retain the original line number while
obscuring the rest of the data.

Custom Format - Replaces data with a
user-defined custom format. The default, (xxx) xxx
${US_PHONE:lineNumber()}, shows the
expression used to create the (xxx) xxx 7890 option. Alter
or replace the default as needed.

Default is (xxx) xxx 7890.

US_SSN

Masks data classified by the US_SSN StreamSets classification rule. Use one of the following options:

xxx-xx-1234 - Replaces data with numbers
that retain the original serial number while
obscuring the rest of the data.

Custom Format - Replaces data with a user-defined custom
format. The default,
xxx-xx-${US_SSN:serialNumber()},
shows the expression used to create the xxx-xx-1234
option. Alter or replace the default as needed.

Default is xxx-xx-1234.

US_ZIP_CODE

Masks data classified by the US_ZIP_CODE StreamSets classification rule. Use one of the following options:

Prefix Only (940xx) - Replaces data with
numbers that retain the original state group and
region numbers while obscuring the rest of the
data.

Suffix Only (xxx86) - Replaces data with
numbers that retain the original city area while
obscuring the rest of the data.

Custom Format - Replaces data with a
user-defined custom format. The default,
xxx${US_ZIP_CODE:cityArea()}, shows
the expression used to create the Suffix Only option. Alter
or replace the default as needed.